Article 8
Conditions applicable to child's consent in relation to information society services

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 8 keyboard_arrow_down Hide the recitals of the Regulation related to article 8 keyboard_arrow_up

(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

There is no recital in the Directive related to article 8.

The GDPR

According to recital 38 of the Regulation, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. The use of personal data relating to children for purposes of marketing or creating personal or user profiles and the collection of data relating to children during the use of services provided directly to a child are particularly concerned.

Therefore, Article 8 of the Regulation provides that the processing of data relating to a child within a direct offer of information society services (see Article 1er, 2 of Directive 98/34EC of 22 June 1998) is lawful for children aged at least 16 years. With respect to children under the age of 16, the controller must obtain the consent to the processing from the holder of parental responsibility.

However, the Regulation allows the Member States to authorise the processing of data relating to a child under 16 years for these purposes without the authorization of the holder of parental responsibility, as long as this age is not less than 13 years.

In other words, children under the age of 16 years must get permission from the parents to open an account on social media such as Facebook, Instagram , or Snapchat, as is already the case in most of the countries of the Union at the present time, unless the Member State has provided a lower age whицх cannot, in any event be under 13 years of age (see Press release of the Committee on Civil Liberties, Justice and Home Affairs of 17 December 2015, REF. : 20151217IPR08112).

Initially, Parliament's negotiators wanted an age limit of 13 years across Europe. However, the Member States did not reach a consensus on this age. Accordingly, the Member States may set their own limits as long as they are neither less than 13 years, nor more than 16 years. This flexibility was introduced at the insistence of the Member States, so that they can keep the limits that they already apply.

It is up to the controller to make reasonable efforts to ensure that the consent is given by the holder of parental responsibility, given the technology available.

Finally, the provision specifies that it does not affect national law in contractual matters which would include specific rules on the validity, the training or the effects of a contract in respect of a child.

The Directive

Neither the Directive nor the analysed national laws contained such a provision.

Potential issues

The validity of the child’s consent over the Internet raises an obvious problem. Not only because the free and informed nature of such consent can often be discussed, but also its validity may vary from one state to another. Article 8 seems to take this into account and obviously wants to tackle the problem.

There are no definitions (of the child and the holder of parental responsibility) while they were present in the first version of the Regulation.

Ultimately, such a provision is intended to prohibit the controller to base processing on the consent of children under the age of 16 , or under  the age of 13 according to the law of the Member State concerned.

This flexibility recognized by Member States goes against the will of harmonization of the rules at European level and may cause legal uncertainty in the responsibility of the controllers who will have to take into account the specificities of each Member State in order to ensure the legality of their processing.

Regulation
1e 2e

Art. 8

1.   Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2.   The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3.   Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

1st proposal close

Art. 8

1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2nd proposal close

Art. 8

1. Where Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child (...) shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child or is given by the child in circumstances where it is treated as valid by Union or Member State law.

1a. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

3. (...)

4. (...)

 

Directive close

There is no specific provision

Section 5 GDPR Implementation Law. Consent of legal representative

1. If article 8 of the Regulation does not apply and if the data subject had not yet reached the age of sixteen, the consent of his or her legal representative is required instead of his or her consent.

2. If the data subject had been placed under guardianship or is subject to protective administration or protection order, the consent of his or her legal representative is required instead of his or her consent in situations where the data subject has no legal capacity or authority.

3. Such consent may be withdrawn by the data subject’s legal representative at any time.

4. In situations where the data subject has no legal capacity or authority, the rights referred to in Chapter III of the Regulation are exercised by the legal representatives of data subjects who have not yet reached the age of sixteen, data subjects who have been placed under guardianship and data subjects who are subject to protective administration or protection order.

5. This section does not apply to assistance or counselling services offered directly and free of charge to a minor or a person who has been placed under guardianship.

close